LCZ-NT4-S 1.1 16 May 2009 This document specifies technical security policy for implementations of Microsoft Windows NT4.0, and applies to domain controller implementations of NT4.0. 1.1 16 May 2009 FOD Revised for re-release 1.0 05 February 2003 LCZ Initial Version for public release 2001200220032009 Frank O'Dwyer To specify a baseline configuration for implementations of <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0 server. To provide guidance to administators, developers and security personnel in securely implementing <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0 server. Controls specified in this document apply to server implementations of NT4.0. All of the organisation's NT4.0 server systems will be subject to the policies specified within this security standard. The policies will be applied to new and existing installations. Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from your Information Security team consultancy function. This is a specific standard for NT4.0 servers. Controls specific to workstation, domain controller, and generic controls common to all are not specified in this document and are the subject of separate standards. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt. An Information Asset equates to any computerised information system or component thereof and thus includes an application, an item of off the shelf software, hardware, media, a data item, a data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous, except where a control relates to any Information Asset. The use of must or will indicates what the author considers to be a mandatory control. However, whether the controls listed here are mandatory for your organisation is entirely at your organisation's discretion and thus they should be interpreted as representing the strongest recommendation of the author. The use of should or recommended or ought indicates that the author believe that the controls in question are worthwhile and should be implemented unless such an implementation is impossible, onerous or impractical. Again, the implementation of controls so recommended in this document is entirely at your organisation's discretion. The advanced user right to increase quotas must be held by administrators only Is the advanced user right to increase quotas must be held by administrators only Ensure that the administrators group holds this right Ensure that only administrator staff are members of the administrators group Business information and services may be subject to a loss of availability The advanced user right to lock pages in memory must be held by no one. Is the advanced user right to lock pages in memory held by no one? Ensure that no one holds this right Business information and services may be subject to a loss of availability The user right to backup files and directories must only be held by Backup Operators Is the user right to backup files and directories only held by Backup Operators? Ensure that only operators are in the backup operators group Ensure that the backup operators group hold the backup files and directories user right Business information may be subject to unauthorised disclosure Business information may be subject to a loss of availability The advanced user right to log on as a batch job must be held by no one. Is the advanced user right to log on as a batch job held by any user? Ensure that no one holds this right Business information and services may be subject to a loss of availability Remote Acess Server must be enabled only if required If Remote Acess Server is enabled is it required? Disable remote access server if it is not required Remote access server allows users potentially to gain unauthorised remote access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. File and directory permissions must be restricted on the basis of least privilege Are file and directory permissions restricted on the basis of least privilege? Ensure that the access permitted for each file and directory permits the minimum access permissions Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Replication must be implemented only at the administrator level Is replicationimplemented only at the administrator level? Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Auditing should be enabled for RAS for failed authentication and authentication timeout Is auditing enabled for RAS for failed authentication and authentication timeout? Set up auditing to audit for failed authentication and authentication timeout Business information and applications may be unavailable. Business information may be disclosed Business information may be maliciously altered Failed attempts to delete documents in a print queue should be audited Are failed attempts to delete documents in a print queue audited? Set up auditing to audit for failed attempts to delete documents in a print queue Business information and applications may be unavailable. Failed attempts to take ownership of documents should be audited Are failed attempts to take ownership of documents audited? Set up auditing to audit for failed attempts to take ownership of documents in a print queue Business information and applications may be unavailable. Business information may be disclosed Business information may be maliciously altered Failed attempts to change permissions on a print queue should be audited Are failed attempts to change permissions on a print queue audited? Set up auditing to audit for failed attempts to delete documents in a print queue Business information and applications may be unavailable. RAS should be set up to encrypt logon information by any remote client before sending across the network Is RAS set up to encrypt logon information by any remote client before sending across the network? RAS should be configured to encrypt logon information by any remote client before sending across the network Account logon details may be compromised Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.